Cannot generate CSV on nested field

Hello,

I have a nested field (Vulnerability Advisories) and I cannot generate a CSV unless I flatten the field out by converting it to a string. The problem with converting it, is it is no longer indexed. I'd like to maintain it being nested but at the same time, allow me to generate a CSV report. I hope I can have both options.

The error:

[illegal_argument_exception] field [Vulnerability Advisories] isn't a leaf field :: {"path":"/testtest/_search","query":{"scroll":"30s","size":500},"body":"{\"stored_fields\":[\"Site Name\",\"Asset Name\",\"Asset IP Address\",\"Asset MAC Address\",\"Asset OS Name\",\"Asset OS Vendor\",\"Asset OS Version\",\"Asset OS Family\",\"Vulnerability Title\",\"Vulnerability Severity\",\"Vulnerability CVSSv3 Score\",\"Vulnerability CVSSv3 Vector\",\"Vulnerability Description\",\"Vulnerability Advisories\",\"Vulnerability Proof\",\"Vulnerability Fix\",\"Vulnerability Test Date\",\"Vulnerable Since\",\"Vulnerability Published Date\",\"Asset Scan Credential Status\",\"Service Name\",\"Service Port\",\"Service Protocol\"],\"query\":{\"bool\":{\"filter\":[{\"match_all\":{}}],\"must_not\":[],\"should\":[],\"must\":[]}},\"script_fields\":{},\"_source\":{\"excludes\":[],\"includes\":[\"Site Name\",\"Asset Name\",\"Asset IP Address\",\"Asset MAC Address\",\"Asset OS Name\",\"Asset OS Vendor\",\"Asset OS Version\",\"Asset OS Family\",\"Vulnerability Title\",\"Vulnerability Severity\",\"Vulnerability CVSSv3 Score\",\"Vulnerability CVSSv3 Vector\",\"Vulnerability Description\",\"Vulnerability Advisories\",\"Vulnerability Proof\",\"Vulnerability Fix\",\"Vulnerability Test Date\",\"Vulnerable Since\",\"Vulnerability Published Date\",\"Asset Scan Credential Status\",\"Service Name\",\"Service Port\",\"Service Protocol\"]},\"docvalue_fields\":[{\"field\":\"Vulnerability Published Date\",\"format\":\"date_time\"},{\"field\":\"Vulnerability Test Date\",\"format\":\"date_time\"},{\"field\":\"Vulnerable Since\",\"format\":\"date_time\"}],\"sort\":[{\"_score\":{\"order\":\"desc\"}}],\"version\":true}","statusCode":400,"response":"{\"error\":{\"root_cause\":[{\"type\":\"illegal_argument_exception\",\"reason\":\"field [Vulnerability Advisories] isn't a leaf field\"}],\"type\":\"search_phase_execution_exception\",\"reason\":\"all shards failed\",\"phase\":\"query\",\"grouped\":true,\"failed_shards\":[{\"shard\":0,\"index\":\"testtest\",\"node\":\"ejCJ8VBZSo2rPMwAmOtrtA\",\"reason\":{\"type\":\"illegal_argument_exception\",\"reason\":\"field [Vulnerability Advisories] isn't a leaf field\"}}],\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"field [Vulnerability Advisories] isn't a leaf field\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"field [Vulnerability Advisories] isn't a leaf field\"}}},\"status\":400}"}

The JSON of one the documents in question....

{
  "_index": "testtest",
  "_type": "_doc",
  "_id": "NSC0001-1093-18804",
  "_version": 1,
  "_score": 0,
  "_source": {
    "Asset OS Name": "Linux",
    "Vulnerability Fix": "\n<p>\n    Use `apt-get upgrade` to upgrade linux-image-generic to the latest version.\n  </p>",
    "@timestamp": "2020-01-07T13:27:55.848Z",
    "Asset OS Version": "16.04",
    "Vulnerability Advisories": [
      {
        "Reference": "104606",
        "Source": "BID"
      },
      {
        "Reference": "DSA-4187",
        "Source": "DEBIAN"
      },
      {
        "Reference": "CVE-2018-1000004",
        "Source": "NVD"
      },
      {
        "Reference": "RHSA-2018:0654",
        "Source": "REDHAT"
      },
      {
        "Reference": "RHSA-2018:0676",
        "Source": "REDHAT"
      },
      {
        "Reference": "RHSA-2018:1062",
        "Source": "REDHAT"
      },
      {
        "Reference": "RHSA-2018:2390",
        "Source": "REDHAT"
      },
      {
        "Reference": "3631-1",
        "Source": "UBUNTU"
      },
      {
        "Reference": "3631-2",
        "Source": "UBUNTU"
      },
      {
        "Reference": "3798-1",
        "Source": "UBUNTU"
      },
      {
        "Reference": "3798-2",
        "Source": "UBUNTU"
      }
    ],
    "Vulnerability ID": 18804,
    "Service Protocol": null,
    "Vulnerability Test Date": "2019-11-14T16:53:33.515Z",
    "Asset IP Address": "1.2.3.4/32",
    "@version": "1",
    "Site Name": "test-NETWORKZ",
    "Vulnerability Published Date": "2018-01-16T05:00:00.000Z",
    "Asset OS Vendor": "Ubuntu",
    "Vulnerability CVSSv3 Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "Vulnerability Proof": "<p><p>Vulnerable OS: Ubuntu Linux 16.04<p></p></p><p>Vulnerable software installed: Ubuntu linux-image-generic 4.4.0.87.93</p></p>",
    "Service Port": null,
    "Vulnerability Description": "\n    \n<p>In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition.</p>\n  ",
    "Asset MAC Address": "00:50:56:a7:6b:50",
    "Asset Name": "ubuntu-1604",
    "Service Name": null,
    "type": "test",
    "Asset OS Family": "Linux",
    "Last Assessed for Vulnerabilities": "2019-11-14T16:53:33.515Z",
    "Vulnerable Since": "2019-11-14T16:53:33.515Z",
    "Vulnerability Severity": "Severe",
    "Asset Scan Credential Status": "All credentials successful",
    "Vulnerability Title": "Ubuntu: (Multiple Advisories) (CVE-2018-1000004): Linux kernel (Trusty HWE) vulnerabilities",
    "Vulnerability CVSSv3 Score": 5.900000095367432,
    "Asset ID": 1093
  },
  "fields": {
    "Vulnerability Published Date": [
      "2018-01-16T05:00:00.000Z"
    ],
    "@timestamp": [
      "2020-01-07T13:27:55.848Z"
    ],
    "Vulnerability Test Date": [
      "2019-11-14T16:53:33.515Z"
    ],
    "Vulnerable Since": [
      "2019-11-14T16:53:33.515Z"
    ],
    "Last Assessed for Vulnerabilities": [
      "2019-11-14T16:53:33.515Z"
    ]
  }

I'd appreciate any help that can be offered!

Thank you

What about adding a new field for the flattened string version? You could have both options by having additional fields as needed in the data.

It looks like this goes to a long-standing but with Reporting CSV export https://github.com/elastic/kibana/issues/25068

That's exactly what I did. Thanks for the suggestion. :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.